> From: Andrew Brown <atatat_at_atatdot.net>
> Subject: Re: Nmap 2.30BETA20 Released
> To: Justin <jguyett_at_andrew.cmu.edu>
> Cc: nmap-hackers_at_insecure.org
>
> >Ideally nmap would have a module to verify each service it finds, so that
> >(for example) an open port 443 wouldn't be reported as ssl / http if it
> >isn't acting like a web server.
>
> verifying that port 25 is an smtp server is relatively easy, likewise
> with 21 being ftp control, 22 being an ssh server, and 23 being a
> telnet server. the daytime and time services are likewise very easy
> to detect since they just spew; they don't accept.
>
> verifying that port 443 is actually an https server is decidedly
> non-trivial, not the least of which is because it waits for the client
> to say something before dropping you. it would require at least a
> minimal ssl stack, and some crypto tools, neither of which belong in
> the world's best port scanner.
FYI FWIW: nmap-web (URL listed below) has a checkbox that basically says:
"try to tell me what is running on the port selected"
It does this by opening up a socket connection and snarfing what is
returned. Only a few well-defined services are set up (for instance,
it will send a "POST / HTTP/1.0" to port 80 to get the web server info),
but this could easily be expanded.
You can also define an EXPECTED string ... and if you do NOT get that,
then it will highlight it in red. This is useful, for instance, if you
have 1,000+ machines and you want to know which ones are NOT running
sendmail 8.9.3 ... useful to catch the "stragglers" so you know which
ones to fix.
alek
P.S. nmap-web is linked to from the nmap home page and is at:
http://www.komar.org/komar/alek/ -> Misc. Tech Stuff -> nmap-web
Received on Apr 21 2000
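The check-the-banner-against-an-EXPECTED-string idea from the message above, as an added example that is not nmap-web's code or anything from the thread. It connects, sends a small probe only on ports where the client must speak first (the mail's "POST / HTTP/1.0" on port 80), reads what comes back, guesses the service from the greeting, and lists the hosts whose banner lacks the expected string (the ones nmap-web would colour red). The probe table, classification rules, host names and sample banners are all constructed for this example; the silent-listener case mirrors Andrew's point that an HTTPS port says nothing until the client starts a handshake, so it is reported as unverified rather than guessed.

```python
"""Banner-based service verification with an EXPECTED-string audit.

Added example; not nmap-web's code.  Probe table, classification rules
and sample data are this example's own assumptions.
"""
import socket
import socketserver
import threading

# Probe to send before reading, keyed by port.  Ports absent from the
# table (25, 21, 22, 13, 37, ...) speak first, so we only listen there.
PROBES = {
    80: b"POST / HTTP/1.0\r\n\r\n",   # the probe the mail describes
}

# Constructed sample banners keyed by host name (not captured from real hosts).
SAMPLE_BANNERS = {
    "mail1": b"220 mail1.example.test ESMTP Sendmail 8.9.3/8.9.3; Fri, 21 Apr 2000\r\n",
    "mail2": b"220 mail2.example.test ESMTP Sendmail 8.8.7/8.8.7; Fri, 21 Apr 2000\r\n",
    "mail3": b"",  # port open, but the listener returned nothing
}


def grab_banner(host, port, timeout=3.0, max_bytes=512):
    """Connect, send the port's probe (if any) and read the first line or so."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        probe = PROBES.get(port)
        if probe:
            s.sendall(probe)
        data = b""
        try:
            while len(data) < max_bytes and b"\n" not in data:
                chunk = s.recv(max_bytes - len(data))
                if not chunk:        # peer closed: nothing more is coming
                    break
                data += chunk
        except socket.timeout:
            pass                     # silent listener; report what we have
        return data


def classify_banner(port, banner):
    """Guess the service from the greeting; conservative on purpose."""
    if not banner:
        return "unverified"          # e.g. 443: TLS server waits for the client
    first = banner.split(b"\n", 1)[0].strip().upper()
    if first.startswith(b"SSH-"):
        return "ssh"
    if first.startswith(b"HTTP/1."):
        return "http"
    if first.startswith(b"220"):
        if b"SMTP" in first or port == 25:
            return "smtp"
        if b"FTP" in first or port == 21:
            return "ftp"
        return "unknown-220"
    if port in (13, 37):
        return "daytime/time"        # these just spew, so any bytes count
    return "unknown"


def check_expected(banner, expected):
    """True when the EXPECTED string appears in the banner (case-insensitive)."""
    return expected.lower().encode() in banner.lower()


def audit(banners, expected):
    """Return the hosts whose banner lacks `expected`: the stragglers to fix."""
    return sorted(h for h, b in banners.items() if not check_expected(b, expected))


class _FakeSmtp(socketserver.BaseRequestHandler):
    """Loopback stand-in for a mail server, used only by the demo below."""
    def handle(self):
        self.request.sendall(b"220 demo.example.test ESMTP Sendmail 8.9.3\r\n")


if __name__ == "__main__":
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeSmtp)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    banner = grab_banner("127.0.0.1", port)
    srv.shutdown()
    print(classify_banner(25, banner), banner)
    print("not running Sendmail 8.9.3:", audit(SAMPLE_BANNERS, "Sendmail 8.9.3"))
```

Run stand-alone it starts a loopback fake SMTP server, grabs its banner, and then audits the constructed sample set; against real hosts `grab_banner` only ever reads the first few hundred bytes, which is what keeps this an inventory check rather than a full protocol client.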